Cisco Support Community
New Member

AnyConnect w/ Certificate: Certificate invalid for this group

Hello,

Situation:

  • About 100 VPN clients all over the world, version 2.5.0217
  • Using Certificates from a Microsoft CA
  • AnyConnect works fine on almost all computers with XP / Vista / Windows 7
    • On Windows 7 the root certificate must be installed manually (Certificate Web Service using Windows 2003 Server)
  • AnyConnect won't work from some laptops in Australia (Windows 7 Home, IE 8). Error message: "Certificate is invalid for this group"
    • The same message appears when a certificate is revoked for a working installation
    • I tried the same Root Certificate and Personal Certificate (imported the same files) on another computer in Germany: Worked

Could not find any help in the

  • FAQ
  • Troubleshooting Guide
  • Administration Guide

Has anybody experienced such a behaviour?

Facts:

  • Since the Gateway is in Germany, ping times are around 330ms from Australia.
  • We also tried intranet connection and internet connection, same message.

I wonder if there are security settings within Internet Explorer which cause this error. The ASA web access does not work either. (It asks for the personal certificate, then it won't continue, saying "This page cannot be displayed" in IE 8.)

6 REPLIES
Cisco Employee

Re: AnyConnect w/ Certificate: Certificate invalid for this grou

This possibly looks like an SSL handshake failure, since you cannot connect from the browser either. What client certificate are you presenting to the ASA? Make sure that the EKU (Enhanced Key Usage) extension in the client certificate includes the "Client Authentication" capability.

A packet capture for the SSL failure will also help.

Does browser access through any other browser work? (E.g. Firefox)
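
The client-side checks raised in this thread (the "Client Authentication" EKU, root and intermediate CA placement, revocation), as an added PowerShell example that is not part of any poster's reply or of Cisco's tooling. `Test-ClientAuthCertificate` is a hypothetical helper name; the script assumes PowerShell 3.0 or later and a certificate in the current user's Personal store, and it only shows what the Windows client sees, not how the ASA evaluates the certificate.

```powershell
# Added example; Test-ClientAuthCertificate is a hypothetical helper name.
# Requires PowerShell 3.0 or later. Run as the user who connects with AnyConnect.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, shown by Windows as "Client Authentication"

function Test-ClientAuthCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # EKU check: look for the Enhanced Key Usage extension and the client-auth OID in it.
    $ekuExt = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ekuExt) {
        $ekuState = 'NoEkuExtension'        # certificate is not restricted to specific purposes
    } elseif (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthOid) {
        $ekuState = 'ClientAuthPresent'
    } else {
        $ekuState = 'ClientAuthMissing'
    }

    # Chain check: fails if the issuing root/intermediate CA is not in the right
    # local store, or if the CA's revocation data lists the certificate as revoked.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # converted to X509RevocationMode
    $chainOk = $chain.Build($Certificate)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

    $now = Get-Date
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey
        InValidity    = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        EkuState      = $ekuState
        ChainBuilds   = $chainOk
        ChainStatus   = $chainStatus
    }
}

# Report on every certificate in the current user's Personal store.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-ClientAuthCertificate -Certificate $_ } |
    Format-List
```

A `ChainStatus` of `UntrustedRoot` or `PartialChain` points at CA certificates missing from the local stores, `Revoked` at revocation, and `RevocationStatusUnknown` or `OfflineRevocation` at a CRL the client could not reach.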

New Member

Re: AnyConnect w/ Certificate: Certificate invalid for this grou

Did you get an answer for this?  I'm seeing a similar issue.

New Member

Re: AnyConnect w/ Certificate: Certificate invalid for this grou

Hello Steven,

No, I am sorry. It turned out to be a problem of exactly one computer and we decided not to follow this up anymore.

Regards

Holger

New Member

Re: AnyConnect w/ Certificate: Certificate invalid for this grou

Steven,

I first had an issue installing the Root certificates on the Windows 7 machines. Instead of using "Select storage automatically" you have to select it manually (Trusted Root Certification Authorities and, if this is not enough, a second time into Intermediate Cert. Auth.)

Maybe this helps for you

Regards

Holger

New Member

Re: AnyConnect w/ Certificate: Certificate invalid for this grou

Hi Steve,

Just wondering if you were able to resolve this issue, as I am having the same issue?

I have gotten around the issue by deleting the user in ACS, as we use ACS as the RADIUS server. The user is again dynamically created in ACS and the certificate issue disappears. However, before deleting the user, I can log in fine from another workstation with my credentials, and the issue is not present when logging in from a different workstation. There are new AnyConnect clients that seem to resolve some certificate issues, but that did not help either. Tried deleting cached and profiles and that did not help either. Deleting the user from ACS is not a good solution.

New Member

AnyConnect w/ Certificate: Certificate invalid for this group

For me, the error was related to Authentication under the Connection Profile > Advanced.

Under the Connection Profile it was configured to "Pre-fill Username from Certificate", but "Use script to select username" was configured with -None-, which caused the error.

A few years late but hope this helps someone.
